Skip to content Skip to navigation

Consumer data privacy after bankruptcy

Is current bankruptcy policy adequate to protect consumer data?

Balancing rights and interests seems to be at the core of privacy policy.  Privacy interests are pitted against other key social goals, like national security, research and innovation.  Sometimes even different types of privacy interests are in tension with each other.  As a legal forum, bankruptcy (particularly commercial bankruptcy) is all about trading off interests and equities: for example, should creditors be compelled to take a haircut in their claims in order to preserve a viable but insolvent going concern or to avoid loss of jobs and harm to communities?  Contract rights of all kinds are often altered in bankruptcy in order to achieve such bankruptcy goals: notably, a debtor can cure a breach and pay a fraction of the damages that it inflicted on others, so that the debtor might reorganize and continue.  Even – and lamentably for some commentators – property rights are compromised for the sake of a broader social good.  The underlying principle is that if someone can be made off while leaving everyone else no worse off economically, then this result is socially desirable.  In some contexts, the Code achieves this by requiring that the affected party’s interest be “adequately protected”.

In the amendments to the Bankruptcy Code in 2005, Congress passed legislation to protect consumers against the sale of personal identifiable information (PII) by the debtor when it would violate that debtor’s privacy policy outside of bankruptcy (e.g. if the privacy policy says that such information would not be shared with any unaffiliated third party).  The legislation might have clearly prohibited such a sale, thereby enforcing the rights of the consumers outside of bankruptcy under the privacy policy.  Instead, the section is more complicated and leaves open the door to allowing transfers of PII that could not occur outside of bankruptcy.  The motivating principle of bankruptcy -- making some people better off without impairing the position of anyone else – is thereby given room to do its work.

And, this has happened.  Of course, many companies are anticipating and providing for data transfers when their assets are sold in or outside of bankruptcy.  But, even if the privacy policy does not permit such transfer, the Code provides a way out: a consumer privacy ombudsman is appointed and the court can approve the sale of PII, contrary to the terms of privacy policy, if it has given “due consideration to the facts, circumstances, and conditions of such sale or such lease” and has found “no showing …that such sale or such lease would violate applicable nonbankruptcy law.”  With the participation of the FTC and state consumer protection agencies, the common approach is to protect the underlying privacy concerns of the consumers -- by requiring that the buyer be in materially the same line of business as the seller and be bound by the other terms of the privacy policy -- and provide the consumers with an opt-out right in lieu of their right to consent outside of bankruptcy.  The fundamental bankruptcy principle is at work here and de facto adequate protection: bankruptcy can alter the terms of the privacy policy for the benefit of the debtor provided that the court finds that consumers are left no worse off.

-George Triantis

 

Read more of the blog